What Is an Internal Audit in a Quality Management System?

An internal audit in a quality management system (QMS) is a formal, planned evaluation that an organization conducts on its own processes and procedures to verify that the system meets both its documented requirements and applicable regulatory standards. The people conducting the audit work within the organization — which is why internal audits are also called first-party audits — and the process generates documented findings that management uses to make decisions about corrective actions and process improvements.

In regulated industries such as medical devices, pharmaceuticals, and biotechnology, internal audits are required by law and by certification standards. Missing an audit cycle, conducting one without documented evidence, or failing to follow up on findings are all observations that appear in FDA Form 483 reports and warning letters.

What an internal audit actually does

Most quality teams understand that internal audits are required. Fewer treat them as an operational tool rather than a compliance checkbox.

The practical function of an internal audit is to surface the gap between what your procedures say and what your processes actually do. Written SOPs describe the intended operation of a process. An internal audit tests whether the people, systems, and records in the organization reflect that description. When they don't — and they often don't in specific, concrete ways — the audit finding creates an obligation to investigate and correct.

Done consistently, an internal audit program gives quality leadership early visibility into process drift, documentation gaps, and compliance exposures before those same gaps surface during an FDA inspection or a third-party certification audit.

The regulatory requirement across ISO 13485, ISO 9001, and the QMSR

ISO 13485:2016, Clause 8.2.4

ISO 13485 requires medical device manufacturers to plan, establish, implement, and maintain an audit program that covers all processes in the QMS. Clause 8.2.4 specifies that audits must be conducted at planned intervals, that criteria and scope must be defined for each audit, that auditors must be selected to ensure objectivity and impartiality, and that results must be reported to management and documented. Records must be retained as evidence of the audit program.

The standard is explicit that organizations must not allow auditors to assess their own work.

ISO 9001:2015, Clause 9.2

ISO 9001's internal audit requirements follow the same structure. Clause 9.2 requires organizations to conduct audits at planned intervals to determine whether the QMS conforms to the organization's own requirements and to the standard itself, and whether the system is effectively implemented and maintained. Audit programs must take into account the importance of the processes, changes affecting the organization, and the results of previous audits. Nonconformities found must be corrected without undue delay.

The QMSR and what changed in February 2026

The FDA's Quality Management System Regulation (QMSR), which replaced 21 CFR Part 820 on February 2, 2026, incorporated ISO 13485:2016 by reference. One of the most significant operational changes this created: FDA inspectors can now access internal audit reports, management reviews, and supplier audit records during an inspection.

Under the previous QSR framework, internal audit records were generally protected from FDA review. That protection no longer exists. If your internal audit records are missing, incomplete, or show findings that were never addressed, an FDA investigator reviewing those records during an inspection will see exactly that. (FDA QMSR FAQ, February 2026)

What auditor independence means in practice

Both ISO 13485 and ISO 9001 require that auditors be objective and impartial. The practical meaning: auditors must not evaluate their own work, their own area, or processes they are directly responsible for maintaining.

In a small quality team, this creates a real scheduling challenge. A team of three quality engineers who each own different QMS processes can audit each other's areas. A team of one has a structural problem — they cannot independently audit anything they manage, which in a lean organization is often everything.

The common solutions are cross-functional auditors (trained employees from operations, manufacturing, or R&D), contract auditors, or auditor pools built across sites. Whatever the approach, the independence requirement is not flexible. An audit conducted by someone assessing their own procedures is not compliant and will not hold up to regulatory scrutiny.

Planning an internal audit program

An internal audit program is not a single event. It is an annual or multi-year schedule that ensures every process and requirement in the QMS gets audited over a defined cycle, with higher-risk or higher-change areas audited more frequently.

The planning process involves defining the audit scope for the cycle: which processes, departments, and regulatory requirements will be covered, and how often. A risk-based approach means CAPA management, change control, and supplier qualification typically get more attention than lower-risk administrative processes.

From there, the team builds an audit schedule with specific dates, assigned lead auditors, and defined objectives. The schedule should be documented and approved by quality management.

Each individual audit within the program requires its own inspection plan, including the applicable regulatory clauses, specific questions to be answered, and records to be reviewed. A pre-planned checklist is not bureaucracy — it is evidence that the audit was conducted against a defined scope, which is what regulators check when they review your audit records.

Communicating the schedule to process owners in advance is standard practice for internal programs. The goal is to evaluate how processes actually run, not to catch people unprepared.

What happens during an audit

An internal audit follows a defined sequence. The opening meeting establishes scope, objectives, and logistics with the area being audited. The audit itself involves records review, process observation, and interviews with the people who perform the work.

Records review focuses on whether documented evidence matches what procedures require. If a procedure says deviations must be reviewed within five business days of occurrence, the auditor pulls deviation records and checks the timestamps. If the SOP requires two-signature document approval, the auditor verifies that electronic or wet-ink signatures are present on controlled documents.

Process observation is where internal audits surface findings that records review often misses. Watching a process in real time — how operators actually perform a procedure, how they handle exceptions, whether they reference the current revision of an SOP or a printed copy from six months ago — often reveals the gap between the documented process and the performed one.

Interviews with personnel serve as a check on both records and observation. If a team member cannot describe the process they perform, or describes it in a way that differs from the written procedure, that discrepancy needs to be explored.

The closing meeting summarizes preliminary findings with the auditee before the formal report is written. This is an opportunity to correct any factual errors in the auditor's notes before the written record is finalized.

Documenting findings and closing the loop

Every audit finding must be documented with enough specificity that a corrective action can be written against it. "Document control needs improvement" is not a finding. "Revision 3 of SOP-012 was found posted at Workstation 4, but the current approved version is Revision 5 per the document management system" is a finding. One of these generates an actionable CAPA. The other generates confusion.

Findings are classified as major nonconformities (the process is not operating in compliance), minor nonconformities (isolated gaps or incomplete implementation), or observations (opportunities for improvement that don't rise to the level of a nonconformity). The classification drives the timeline and depth of the required response.

Once the audit report is issued, the quality team and the responsible process owner agree on corrective actions and timelines. Those actions need to be tracked in your CAPA system, not in an email thread or a spreadsheet. The audit trail connecting the original finding to the root cause analysis and the verification of effectiveness is the evidence that your program actually closes the loop.

A root cause investigation is required for nonconformities. Correcting the immediate symptom without understanding what caused it means the same finding will surface in the next audit cycle.

A process audit versus a system audit: the distinction worth knowing

A process audit evaluates a specific process against defined criteria — the inputs, outputs, controls, and resources that make the process work. A system audit evaluates the entire QMS against a standard such as ISO 13485 or ISO 9001. Both are part of a complete internal audit program, and they serve different purposes.

Process audits tend to surface operational issues: a step skipped in a manufacturing process, a record not captured at the right point, a control that exists on paper but is not actually applied. System audits tend to surface structural issues: procedures that don't reference the correct regulatory requirements, elements of the standard that were implemented in one area but not across the organization, or management review inputs that are incomplete.

A mature audit program uses both.

Where most internal audit programs break down

Most internal audit programs are designed adequately on paper. The breakdowns tend to be operational.

Audit schedules get delayed when the auditor is pulled into a product launch, a customer complaint response, or inspection preparation. By the time the calendar year closes, several planned audits were never completed, creating a gap in audit coverage that the next external audit will find.

Findings sit in a report that was never formally entered into the CAPA system. Corrective actions were discussed at the closing meeting and the process owner implemented a fix, but no verification of effectiveness was documented. The finding technically remains open with no evidence that the corrective action worked.

Auditor pools are never developed. The same two people conduct every audit for five consecutive years, and there is no succession if either one leaves.

A program that cannot demonstrate consistent execution, documented findings, and closed-loop corrective actions is not a functioning QMS element. It is a documentation liability that will surface in the first external review that looks closely.

How a QMS platform supports an internal audit program

Running an internal audit program on spreadsheets and email is manageable for a small team with a narrow scope. For any organization operating across multiple sites, product lines, or regulatory frameworks, the operational overhead becomes significant enough that audit schedules slip and findings lose their follow-through.

A purpose-built QMS handles the infrastructure of the audit program: scheduling, checklists, finding documentation, CAPA generation, assignment and follow-up tracking, effectiveness verification, and management review inputs. Auditors access checklists in the system during the audit, log findings directly, and the system routes those findings to responsible owners with defined due dates. Nothing sits in an email.

When an FDA investigator arrives on-site and requests your audit records under the QMSR framework, the response is not a search through shared drives. It is a report generated from the system showing every scheduled audit, every completed audit, every finding logged, and every corrective action taken — with timestamps and electronic signatures throughout.

Cloudtheapp's Audit Management application covers the full audit lifecycle inside a single FDA-validated platform. Audit programs, individual audit plans, findings, nonconformity classification, CAPA linkage, and effectiveness verification all connect in one system with 60+ configurable applications built for regulated industries. Because the platform is configured to your specific processes and regulatory requirements, the audit checklists reflect your actual SOPs rather than generic templates.

Schedule a demo to see how Cloudtheapp manages the complete internal audit lifecycle in your environment.
